WordPress and its 64 million blogs are currently under attack by a botnet ‘tens of thousands’ of computers strong.
Your site is most at risk if you’ve kept the default WordPress username ‘admin’, because the botnet is tirelessly trying thousands of possible passwords against that account to get in and mess things up. This botnet “supposedly” has over 90,000 IP addresses behind it, so per-IP blocking and login throttling won’t help much: each host only needs to make a handful of guesses before the next one takes over.
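To see why a per-IP throttle misses this kind of attack while a site-wide rate alert does not, here is an added example (not code from the original post or from any of the firms quoted) that counts POST requests to wp-login.php in Apache combined-format access logs. The log lines are constructed: 40 botnet hosts on 198.51.100.0/24 each make three guesses inside one ten-minute window, and one real administrator at 203.0.113.9 logs in. The thresholds (5 guesses per IP, 50 per site) are illustrative assumptions.

```python
"""Count POST /wp-login.php attempts in Apache combined-format access logs and
compare a per-IP throttle with an aggregate rate alert.  Added example; the
sample log lines are constructed, not taken from a real server."""
import re
from collections import Counter
from datetime import datetime

# Apache combined log: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def build_sample_log():
    """Constructed sample: 40 botnet hosts, 3 guesses each, plus one real login."""
    lines = []
    ua = '"-" "Mozilla/5.0"'
    for i in range(40):
        ip = f"198.51.100.{i + 10}"
        for j in range(3):
            sec = i * 15 + j * 5            # everything lands inside 10:00-10:09
            ts = f"12/Apr/2013:10:{sec // 60:02d}:{sec % 60:02d} +0000"
            # WordPress answers a failed login with HTTP 200 (it re-renders the form)
            lines.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3952 {ua}')
    # a legitimate administrator: loads the form, logs in (302 on success), reaches wp-admin
    lines.append('203.0.113.9 - - [12/Apr/2013:10:03:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3952 ' + ua)
    lines.append('203.0.113.9 - - [12/Apr/2013:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 ' + ua)
    lines.append('203.0.113.9 - - [12/Apr/2013:10:03:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 21000 ' + ua)
    return lines


def login_posts(lines):
    """Yield (ip, epoch_seconds, status) for every POST to wp-login.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        yield m["ip"], ts, int(m["status"])


def summarize(lines, window_minutes=10, per_ip_limit=5, aggregate_limit=50):
    """Bucket attempts into fixed windows; report what each defence would see."""
    window = window_minutes * 60
    per_ip = Counter()        # (ip, window) -> attempts, what a per-IP throttle counts
    per_window = Counter()    # window -> attempts from all IPs, what a site-wide alert counts
    accepted = Counter()      # ip -> POSTs answered with 302, i.e. a password was accepted
    ips = set()
    total = 0
    for ip, ts, status in login_posts(lines):
        bucket = int(ts // window)
        per_ip[(ip, bucket)] += 1
        per_window[bucket] += 1
        ips.add(ip)
        total += 1
        if status == 302:
            accepted[ip] += 1
    return {
        "attempts": total,
        "distinct_ips": len(ips),
        "max_per_ip_in_window": max(per_ip.values(), default=0),
        "ips_hit_by_throttle": sum(1 for n in per_ip.values() if n > per_ip_limit),
        "windows_over_aggregate": sum(1 for n in per_window.values() if n > aggregate_limit),
        "accepted_logins": dict(accepted),
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample_log()).items():
        print(f"{key}: {value}")
```

With the sample above, 121 guesses arrive from 41 addresses in one window, no address exceeds the per-IP limit, and the aggregate window count is the only signal that fires. The 302 check is a useful second signal on a real server: a POST to wp-login.php that is answered with a redirect after a run of 200s means some password was accepted, and the source address deserves a look against the list of legitimate admins.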
WordPress founder Matt Mullenweg has some revolutionary advice, “Here’s what I would recommend: If you still use admin as a username on your blog, change it, use a strong password.”
Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today.
According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.
Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites are seeded with a backdoor that lets the attackers control the site remotely (the backdoor persists regardless of whether the legitimate site owner subsequently changes his password). The infected sites are then conscripted into the attacking botnet and forced to launch password-guessing attacks against other sites running WordPress.
HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.
WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:
– Log in to the administrative panel and remove any unfamiliar admin users.
– Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).
– Update the secret keys and salts in wp-config.php (otherwise any rogue admin user’s existing login cookies remain valid and they stay logged in even after their password is changed).
– Reinstall WordPress from scratch or revert to a known-clean backup taken before the compromise, since the backdoor survives a password change.
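The secret-key step is the one most often skipped, so here is an added example (not WordPress’s own tooling, and not from the original post) that rotates the eight key and salt defines in wp-config.php in place. The wp-config.php fragment below is constructed with the placeholder values a fresh install ships with; the character set and 64-character length mirror what WordPress’s own key generator produces, which is an assumption about that generator, not something the post states.

```python
"""Rotate the eight WordPress secret keys/salts in wp-config.php so that every
existing auth cookie, including a rogue admin's, is invalidated.  Added example;
the wp-config.php fragment is constructed."""
import re
import secrets
import string

WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quotes and backslash, so a value can sit inside a
# single-quoted PHP string without escaping (assumed to match WordPress's generator).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")
KEY_LEN = 64

# Matches define('NAME', 'value'); with either quote style and optional spaces.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)

# Constructed fragment of a default wp-config.php (placeholders never changed).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-db-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_secret(length=KEY_LEN):
    """Cryptographically random key from the allowed alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def extract_salts(config_text):
    """Return {name: value} for the defines that are WordPress keys or salts."""
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)
            if m["name"] in WP_KEYS}


def rotate_salts(config_text):
    """Replace each key/salt define with a fresh value; every other line is untouched."""
    def repl(m):
        if m["name"] not in WP_KEYS:
            return m.group(0)                   # DB_NAME etc. pass through unchanged
        return f"define('{m['name']}', '{new_secret()}');"

    rotated = DEFINE_RE.sub(repl, config_text)
    missing = set(WP_KEYS) - set(extract_salts(rotated))
    if missing:
        # A config that defines only some keys leaves the others on WordPress's
        # weak built-in defaults; refuse rather than silently half-rotate.
        raise ValueError(f"wp-config.php lacks defines for: {sorted(missing)}")
    return rotated


def rotate_file(path):
    """Rewrite wp-config.php at `path`, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(rotate_salts(original))


if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Run `rotate_file("/path/to/wp-config.php")` on a site you have shell access to; WP-CLI’s `wp config shuffle-salts` does the same job. Either way every session, yours included, is logged out at once, which is exactly the point: do it after removing rogue admin users and changing passwords, so that the only people who can log back in are the ones holding the new passwords.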